A malicious program usually refers to a program that runs in a computer system illegally, without having been granted authorization. For example, a computer virus is a kind of malicious program that runs in a computer system and endangers the security of that system.
With the development of computer technology and network technology, computer viruses have emerged in various forms. Among them, a Rootkit, a kernel-level Trojan, is software that is able to hide other programs or processes, and may be a combination of one or more pieces of software. Broadly speaking, Rootkit can also be regarded as a technology.
In modern operating systems, an application program cannot access hardware directly, but uses hardware by calling an interface provided by the operating system. The operating system manages and schedules these application programs by means of kernel space. Kernel space consists of four main parts: process management (responsible for allocating CPU time), file access (mounting a device into a file system and providing a consistent interface for upper-layer programs to call), security control (responsible for enforcing a specific privilege level and a separate memory range for each process, so as to avoid conflicts between processes), and memory management (responsible for allocating, using, releasing and reclaiming memory resources while a process is running). The kernel is a data structure. By modifying the data structures of the kernel, the Rootkit technology can hide the processes, files, network communications and other relevant information of other programs (such as registry entries and system log entries that may result from the modifications).
A Bootkit is a more advanced Rootkit, which can bypass kernel checks and start stealthily by infecting the MBR (Master Boot Record). That is to say, a Bootkit is a kind of Rootkit based on the MBR. It may be considered that all technologies which can be loaded earlier than the Windows kernel at boot time and can achieve kernel hijacking may be referred to as Bootkits, such as the later BIOS Rootkit, Vbootkit, SMM Rootkits and so on.
At present, conventional security software for removing all kinds of malicious programs (such as viruses) is mainly based on the traditional detection technology of characteristic codes (i.e., signatures). This is because all kinds of malicious programs usually run some special instruction codes (i.e., characteristic codes) during operation, so the malicious programs can be detected by searching for these characteristic codes. For example, in detecting a Bootkit, since an MBR virus generally has the special property of residing in upper memory (i.e., at the upper address range of memory), the Bootkit can be detected by searching whether the characteristic codes are present in upper memory.
However, more and more viruses are deformed, some by junk code and some by transformation code. Nowadays, most viruses are even pre-encrypted and then dynamically decrypted before taking action. Therefore, the instructions of these deformed viruses vary randomly while achieving the same effects. Such deformed viruses cannot be found by the above method of detecting characteristic codes, and thus bypass removal by conventional security software.
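The following added example (not part of the patent text) illustrates the conventional characteristic-code method described above and the gap it leaves: an exact byte-pattern scan of a boot-sector image finds the pattern when it is stored in the clear, but not when the same bytes are stored in encoded form and would only be decoded at run time. The sector layout, the placeholder byte pattern and the XOR key are all constructed for illustration and are not taken from any real sample.

```python
"""Signature ('characteristic code') scanning of a constructed boot-sector image.
Added example; all constants below are constructed, not from the patent or any real virus."""

SECTOR_SIZE = 512
PAYLOAD_OFFSET = 0x100

# Constructed, inert byte pattern standing in for a malicious program's characteristic code.
CHARACTERISTIC_CODE = bytes.fromhex("deadbeef0badf00d")


def build_boot_sector(body: bytes) -> bytes:
    """Return a 512-byte image with `body` at PAYLOAD_OFFSET and the 0x55AA boot marker at the end."""
    sector = bytearray(SECTOR_SIZE)
    sector[PAYLOAD_OFFSET:PAYLOAD_OFFSET + len(body)] = body
    sector[510:512] = b"\x55\xaa"
    return bytes(sector)


def find_signature(image: bytes, signature: bytes) -> list[int]:
    """Offsets of every exact occurrence of `signature` in `image` (the conventional method)."""
    hits, start = [], 0
    while (pos := image.find(signature, start)) != -1:
        hits.append(pos)
        start = pos + 1
    return hits


def scan_boot_sector(image: bytes, signature: bytes = CHARACTERISTIC_CODE) -> dict:
    """Conventional check: is the image a well-formed boot sector, and does it carry the signature?"""
    return {
        "valid_boot_marker": len(image) == SECTOR_SIZE and image[510:512] == b"\x55\xaa",
        "signature_hits": find_signature(image, signature),
    }


def encode(data: bytes, key: int) -> bytes:
    """Byte-wise XOR with a one-byte key: models the 'stored encrypted, decrypted only at
    run time' case from the text. Applying it twice with the same key restores the input."""
    return bytes(b ^ key for b in data)


if __name__ == "__main__":
    plain = build_boot_sector(CHARACTERISTIC_CODE)
    encoded = build_boot_sector(encode(CHARACTERISTIC_CODE, 0x5A))
    print(scan_boot_sector(plain))    # signature found at offset 0x100
    print(scan_boot_sector(encoded))  # valid boot sector, but no hit: the exact-match scan is blind
```

The second scan result is the practical weakness the text describes: the image is still a valid boot sector carrying the same code, yet a byte-exact signature never matches it until the code has been decoded in memory.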
In conclusion, a problem to be solved at present is how to detect deformed malicious programs, especially MBR-based Bootkit viruses and the like.